ISO 27001

Information security is no longer optional. NIS2, CRA and defence requirements make it a necessity.

Your customers, regulators and insurers are asking: "How do you protect your information?" ISO 27001 gives you the answer — and AmpliFlow makes it live.

From startup to publicly traded. AmpliFlow fits all.

CIA Triad

Three words. The entire foundation.

Confidentiality, integrity and availability. All information security work revolves around protecting these three. AmpliFlow helps with all of them.

Confidentiality

Right person, right information. Nobody else.

  • Access control
  • Encryption
  • Classification

Integrity

Information is accurate and untampered. Every change is tracked.

  • Audit trail
  • Access control
  • Traceability

Availability

Systems work when needed. Not "soon" — now.

  • Redundancy
  • Backup
  • Incident management

Annex A

93 controls. Organized, not overwhelming.

ISO 27001:2022 defines 93 controls across 4 themes. In AmpliFlow, you track each control and its status using Custom Lists, connected directly to your management system.

93 controls sounds overwhelming. With Custom Lists, risk management, and checklists in AmpliFlow, you can organize and track them.

Why now?

Four forces making ISO 27001 a necessity

This is no longer a question of "should we?" but "when?" Regulatory requirements, customer demands and insurance requirements all drive toward documented information security.

NIS2

NIS2 Directive

18 sectors covered. From energy and transport to digital infrastructure and healthcare. Management becomes personally liable for inadequate cybersecurity.

CRA

Cyber Resilience Act

All digital products sold in the EU must have built-in cybersecurity. Building software or IoT devices? CRA applies to you.

Defence

Defence supply chains

Supplying to defence requires documented information security. ISO 27001 is the industry standard — without certification, no procurement.

Customers

Customer requirements cascade

Your large customers are being audited by their auditors. Next step: they audit you. The question "Do you have ISO 27001?" is coming — better have the answer ready.

Risk-based approach

From asset to action

ISO 27001 requires risk-based thinking. AmpliFlow makes it concrete — link risks to assets, assess them systematically and track treatments end-to-end.

  • Assets: What needs protection?
  • Threats: What could happen?
  • Vulnerabilities: Where are the weaknesses?
  • Risks: How significant is it?
  • Treatments: What do we do about it?

Living risk register

Link risks to assets, threats and vulnerabilities. See how the risk landscape changes over time.

Statement of Applicability

Use Custom Lists to track all 93 controls with justifications and implementation status.

Consolidated risk picture

Link risks to processes and assets. See how the risk landscape changes and which actions are underway.

Centralized documentation

Policies, procedures and risk assessments in one place. Auditors find what they need without you chasing documents.

FAQ

Questions about ISO 27001

Straight answers. No jargon.

What is the Statement of Applicability (SoA)?

The SoA lists all 93 controls in Annex A and documents for each: Is it applicable? Why or why not? How is it implemented? Who's responsible? It's one of the most important documents for the certification audit.

Do we need to implement all 93 controls?

No. You must consider all of them but can exclude those not relevant to your scope and risk profile. Each exclusion must be justified. A physical server room control isn't relevant if you only use cloud services, for example.

How does ISO 27001 relate to NIS2?

NIS2 requires "appropriate and proportionate technical and organizational measures". ISO 27001 gives you a ready-made framework to implement, document and demonstrate these measures. Many organizations use ISO 27001 as their path to NIS2 compliance.

How long does certification take?

Expect 4-9 months depending on your organization's size and maturity. Gap analysis and risk assessment take 1-2 months, implementation and operation take 3-5 months, and the internal audit and certification audit take 1-2 months.

What does certification cost?

The audit itself typically costs $5,000-15,000 depending on organization size. The bigger investment is implementation time. With AmpliFlow, that time decreases significantly compared to building everything from scratch in spreadsheets.

More questions?

We're happy to help you get started with ISO 27001.

Contact

Ready to go from "we should" to "we do"?

Book a demo and we'll show you how AmpliFlow helps you build an ISMS that actually lives. Practical focus, not sales talk.